Postavel
Review
Audited by ClawScan on May 10, 2026.
Overview
Postavel appears to be a real social-media MCP integration, but review is advised because its setup can run unpinned remote installer code with elevated privileges and the connected agent can publish or manage public social posts.
Install only if you trust Postavel and the mcporter installation source. Prefer a reviewed, pinned mcporter install over the curl-to-bash or sudo latest-binary path. After connecting, use a least-privileged Postavel account and require confirmation before publishing, deleting, auto-approving, or bulk-approving social media posts.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the recommended setup command could execute unreviewed remote code on the user's machine.
The skill recommends executing a remote installer directly in a shell. The remote script is not pinned or checksum-verified in the artifacts, so the user would run code whose contents may differ from the reviewed files.
curl -fsSL https://postavel.com/install-mcp | bash
Avoid curl-to-bash installation where possible. Install mcporter from a trusted package manager or review and pin the installer contents before running it.
A compromised download source or changed latest release could install a malicious executable with elevated local-system impact.
The installer can download the latest mcporter binary and place it in a system executable path with sudo, without a pinned version, checksum, or signature verification.
sudo curl -L -o /usr/local/bin/mcporter "$URL"
sudo chmod +x /usr/local/bin/mcporter
Pin mcporter to a specific verified release and verify checksums or signatures before installing, especially when writing to /usr/local/bin with sudo.
If the agent misunderstands a request, it could create, publish, approve, or delete social content in the user's connected Postavel workspace.
The MCP tools can publish, approve, and delete posts. This is expected for a social media management skill, but these are high-impact actions affecting public or business accounts.
create_post ... status ... 'published' ... auto_approve ... Immediately approve ... approve_post ... delete_post
Require explicit user confirmation before publishing, auto-approving, bulk-approving, or deleting posts.
The agent can act within the user's Postavel permissions, including workspace and brand access that may reach connected Facebook, Instagram, or LinkedIn accounts.
The setup flow grants the AI assistant OAuth-backed access to the user's Postavel account. This is purpose-aligned, but it is still delegated account authority.
Authorize the AI assistant to access your account
Use the least-privileged Postavel role that supports your needs and revoke OAuth access from Postavel settings when no longer needed.
Content and account metadata used in prompts may be transmitted to the Postavel MCP service to perform requested actions.
The skill routes agent actions through an external MCP server. This is the core integration path, but users should understand that post content, scheduling details, workspace identifiers, and media URLs may be sent to Postavel.
MCP Server URL: `https://postavel.com/mcp/postavel`
Only send content and media URLs you are comfortable sharing with Postavel and verify the MCP server URL before authenticating.
